Description:

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. A certificate authority (CA) is an entity that issues digital certificates.


Rationale:

Certificate Transparency logging guards against SSL/TLS certificates that are issued by mistake or by a compromised CA. Some browsers require that public certificates issued for your domain be recorded in a certificate transparency log. The domain name is recorded; the private key is not. Certificates that are not logged typically generate an error in the browser.


Impact:

Before the Amazon CA issues a publicly trusted SSL/TLS certificate for your domain, it submits the certificate to at least two certificate transparency log servers. These servers add the certificate to their public databases and return a signed certificate timestamp (SCT) to the Amazon CA. The CA then embeds the SCT in the certificate, signs the certificate, and issues it to you. The timestamps are included with other X.509 extensions.

You can monitor the logs to make sure that only certificates you have authorized have been issued for your domain.


Default Value:

Certificate transparency logging is automatic when you request or renew a certificate unless you choose to opt out; that is, ACM logs all new and renewed certificates by default. If you don't want a certificate to be logged, you can opt out using the AWS API or CLI.


Audit:

  1. List Certificates

    aws acm list-certificates
      [--certificate-statuses <value>]
      [--includes <value>]
      [--max-items <value>]
      [--cli-input-json <value>]
      [--starting-token <value>]
      [--page-size <value>]
      [--generate-cli-skeleton <value>]

    This retrieves a list of certificate ARNs and domain names.

  2. Get the details of each certificate

    aws acm describe-certificate
      --certificate-arn <value>
      [--cli-input-json <value>]
      [--generate-cli-skeleton <value>]

    In the output, check the CertificateTransparencyLoggingPreference value under Options for each publicly trusted certificate; it should be ENABLED.



Remediation:

Pre-Requisite:

  • Turn on CloudTrail logging before you begin using ACM. 

  • Access to AWS CLI or AWS API


Implementation steps:

Detailed syntax:

aws acm update-certificate-options
  --certificate-arn <value>
  --options CertificateTransparencyLoggingPreference=ENABLED
  [--cli-input-json <value>]
  [--generate-cli-skeleton <value>]


Shorthand syntax:

CertificateTransparencyLoggingPreference=ENABLED


JSON Syntax:

{
  "CertificateTransparencyLoggingPreference": "ENABLED"
}
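The audit steps above leave the pass/fail decision to the reader, and the remediation step has to be repeated for every non-compliant ARN. The following script is an added example (not AWS code and not part of this benchmark text) that ties the two together: it walks the JSON shapes returned by `aws acm list-certificates` and `aws acm describe-certificate` (CertificateSummaryList[].CertificateArn, Certificate.Type, Certificate.NotAfter and Certificate.Options.CertificateTransparencyLoggingPreference), classifies each certificate, and emits the update-certificate-options command for the ones that can still be fixed. The sample responses are constructed; the 60-day renewal window is an assumption taken from the note later on this page, as is treating a missing Options block as the documented default of ENABLED.

```python
"""Audit ACM certificates for Certificate Transparency (CT) logging and build
the remediation command for each non-compliant certificate.

Added example, not AWS code and not part of the benchmark text. The sample
responses below are constructed; the 60-day renewal window and the "missing
Options means the documented default, ENABLED" rule are assumptions.
"""
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW_DAYS = 60  # assumption: renewal period per the page's note

# Fixed "now" so the constructed sample data classifies deterministically.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

ARN_PREFIX = "arn:aws:acm:us-east-1:123456789012:certificate/"  # constructed

# Constructed sample of `aws acm list-certificates` output.
LIST_RESPONSE = {
    "CertificateSummaryList": [
        {"CertificateArn": ARN_PREFIX + "aaaa-0001", "DomainName": "logged.example.com"},
        {"CertificateArn": ARN_PREFIX + "bbbb-0002", "DomainName": "unlogged.example.com"},
        {"CertificateArn": ARN_PREFIX + "cccc-0003", "DomainName": "expiring.example.com"},
        {"CertificateArn": ARN_PREFIX + "dddd-0004", "DomainName": "imported.example.com"},
    ]
}

# Constructed samples of `aws acm describe-certificate` output, keyed by ARN.
DESCRIBE_RESPONSES = {
    ARN_PREFIX + "aaaa-0001": {"Certificate": {
        "CertificateArn": ARN_PREFIX + "aaaa-0001", "Type": "AMAZON_ISSUED",
        "NotAfter": "2025-05-01T00:00:00+00:00",
        "Options": {"CertificateTransparencyLoggingPreference": "ENABLED"}}},
    ARN_PREFIX + "bbbb-0002": {"Certificate": {
        "CertificateArn": ARN_PREFIX + "bbbb-0002", "Type": "AMAZON_ISSUED",
        "NotAfter": "2025-05-01T00:00:00+00:00",
        "Options": {"CertificateTransparencyLoggingPreference": "DISABLED"}}},
    ARN_PREFIX + "cccc-0003": {"Certificate": {
        "CertificateArn": ARN_PREFIX + "cccc-0003", "Type": "AMAZON_ISSUED",
        "NotAfter": "2024-07-15T00:00:00+00:00",  # 44 days out: inside renewal window
        "Options": {"CertificateTransparencyLoggingPreference": "DISABLED"}}},
    ARN_PREFIX + "dddd-0004": {"Certificate": {
        "CertificateArn": ARN_PREFIX + "dddd-0004", "Type": "IMPORTED",
        "NotAfter": "2025-01-01T00:00:00+00:00"}},  # imported: not CT-logged by ACM
}


def parse_timestamp(value):
    """Parse the ISO-8601 timestamp the CLI prints; treat a naive value as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def classify(cert, now=None):
    """Return 'compliant', 'not_applicable', 'remediate' or 'renewal_window'."""
    now = now or datetime.now(timezone.utc)
    # Only publicly trusted, Amazon-issued certificates are CT-logged by ACM;
    # imported and private-CA certificates are out of scope (assumption).
    if cert.get("Type") != "AMAZON_ISSUED":
        return "not_applicable"
    pref = cert.get("Options", {}).get("CertificateTransparencyLoggingPreference", "ENABLED")
    if pref == "ENABLED":
        return "compliant"
    # The preference cannot be changed once the renewal period has started,
    # so report those separately instead of issuing a command that will not take.
    if parse_timestamp(cert["NotAfter"]) - now <= timedelta(days=RENEWAL_WINDOW_DAYS):
        return "renewal_window"
    return "remediate"


def audit(list_response, describe_by_arn, now=None):
    """Map each listed certificate ARN to its classification."""
    return {s["CertificateArn"]: classify(describe_by_arn[s["CertificateArn"]]["Certificate"], now)
            for s in list_response["CertificateSummaryList"]}


def remediation_command(arn, preference="ENABLED"):
    """The update-certificate-options call that sets the CT logging preference."""
    return (f"aws acm update-certificate-options --certificate-arn {arn} "
            f"--options CertificateTransparencyLoggingPreference={preference}")


if __name__ == "__main__":
    for arn, status in audit(LIST_RESPONSE, DESCRIBE_RESPONSES, NOW).items():
        print(f"{status:15} {arn}")
        if status == "remediate":
            print("   ", remediation_command(arn))
```

In practice the two dictionaries would be populated by running the list and describe commands from the Audit section and loading their JSON output; the classification logic and the generated command stay the same. Certificates reported as renewal_window should be re-checked after ACM renews them, since the note on this page says the status cannot be changed during the renewal period and no error is raised when the change fails.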


Backout Plan:

If you do not want transparency logging enabled for a certificate managed by AWS Certificate Manager, disable it by specifying DISABLED in the options.

aws acm update-certificate-options
  --certificate-arn <value>
  --options CertificateTransparencyLoggingPreference=DISABLED
  [--cli-input-json <value>]
  [--generate-cli-skeleton <value>]


Shorthand syntax:

CertificateTransparencyLoggingPreference=DISABLED


JSON Syntax:

{
  "CertificateTransparencyLoggingPreference": "DISABLED"
}


Note:

  • These logs do not contain the private key for your certificate. 

  • You cannot use the console to enable or disable transparency logging.

  • If you opt out of logging when you request a certificate and then choose later to opt back in, your certificate will not be logged until it is renewed. 

  • You cannot change logging status after a certificate enters its renewal period, typically 60 days before certificate expiry. No error message is generated if a status change fails.



Reference:

https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-ct

acm — AWS CLI 1.20.58 Command Reference 

update-certificate-options — AWS CLI 1.20.58 Command Reference